AirGap Vault

Your old smartphone is your new ‘hardware wallet’

AirGap is a crypto wallet system that lets you secure crypto assets with one secret on an offline device. The AirGap Vault application is installed on a dedicated or old smartphone that has no connection to any network, so it is air-gapped. The AirGap Wallet is installed on an everyday smartphone.

Description

AirGap Vault is responsible for secure key generation. For this, entropy from audio, video, touch and accelerometer is added to the output of the hardware random number generator. The generated secret is saved in the secure enclave of the respective mobile operating system and is only accessible by biometric authentication. Accounts for multiple protocols can be created and transactions prepared by the AirGap Wallet application without any network connection needed. The mobile application, AirGap Vault, is a hybrid application (using the same codebase for Android and iOS, which helps with coordinated development). It is created using the Ionic framework, AirGap's coin-lib to interact with different protocols, and a secure storage implementation.

Security

The security concept behind air-gapped systems is to work with two physically separated devices, one of which has no connection to the outside world or to any network. In the context of AirGap, the component that has no internet connection is AirGap Vault. The two components, AirGap Vault and AirGap Wallet, communicate through URL schemes; these URLs can simply be provided as QR codes.

Key Generation

The entropy seeder uses the native secure random functionality provided by the system and concatenates this with the sha3 hash of the additional entropy. The rationale behind this is:

the sha3 hashing algorithm is cryptographically secure such that the following holds: entropy(sha3(secureRandom())) >= entropy(secureRandom())

adding bytes to the sha3 function will never lower entropy but only add to it such that the following holds: entropy(sha3(secureRandom() + additionalEntropy)) >= entropy(sha3(secureRandom()))

by reusing the hash of an earlier "round" as a salt we can incorporate the entire collected entropy of the previous round.

native secure random cannot be fully trusted because there is no API to check the entropy pool it's using
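
The round-based mixing described above, as an added example (not AirGap's own code). It assumes the reading h_i = SHA3-256(h_{i-1} || secureRandom() || additional_i); the names EntropySeeder, derive_secret and broken_rng and the sample sensor bytes are constructed for illustration.

```python
import hashlib
import secrets
from typing import Callable, Iterable

DIGEST_LEN = 32  # SHA3-256 output size in bytes


class EntropySeeder:
    """Assumed construction (one reading of the text above):
    h_i = SHA3-256(h_{i-1} || secureRandom() || additional_i)
    """

    def __init__(self, secure_random: Callable[[int], bytes] = secrets.token_bytes):
        self._secure_random = secure_random
        self._salt = b""  # hash of the previous round; empty before round 1

    def add_round(self, additional_entropy: bytes) -> bytes:
        h = hashlib.sha3_256()
        h.update(self._salt)                       # carries all earlier rounds
        h.update(self._secure_random(DIGEST_LEN))  # native secure random
        h.update(additional_entropy)               # touch, audio, video, ...
        self._salt = h.digest()
        return self._salt


def derive_secret(rounds: Iterable[bytes],
                  secure_random: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Run one seeder round per collected sample and return the final hash."""
    seeder = EntropySeeder(secure_random)
    out = b""
    for sample in rounds:
        out = seeder.add_round(sample)
    if not out:
        raise ValueError("at least one entropy round is required")
    return out


def broken_rng(n: int) -> bytes:
    """Hypothetical worst case: a system RNG that only returns zero bytes."""
    return bytes(n)


# Constructed sample readings standing in for real sensor data.
TOUCH = b"x=120,y=344,t=1712;x=131,y=350,t=1729"
ACCEL = b"0.013,-0.981,0.102;0.020,-0.975,0.099"

if __name__ == "__main__":
    # Even with the broken RNG, the output still depends on every sample.
    print(derive_secret([TOUCH, ACCEL], broken_rng).hex())
    print(derive_secret([TOUCH + b"!", ACCEL], broken_rng).hex())
```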